| author | Matt Keeter <matt.j.keeter@gmail.com> | 2021-02-02 20:33:03 -0500 |
|---|---|---|
| committer | Drew DeVault <sir@cmpwn.com> | 2021-02-05 10:39:21 -0500 |
| commit | d1ccb60a52d2f6d91ec65d575927afc7039df0b6 (patch) | |
| tree | 4ef851cef390f83c2c5d9560c3d9d81105027d73 | |
| parent | 32913c35cd5f36b00056d3e239c0e85f1f0ed000 (diff) | |
Use v3 X509 certificate
This fixes an issue where rustls failed to validate the X509v1 certificate.
Tested with Amfora, av-98, and titan (https://github.com/mkeeter/titan)
This requires fresh certificates, which could break clients with strict
trust-on-first-use policies; unfortunately, it doesn't appear to be possible
to migrate v1 certificates to v3.
| -rw-r--r-- | src/tls.c | 15 |
1 files changed, 14 insertions, 1 deletions
@@ -5,7 +5,7 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
-#include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <stdio.h>
 #include <string.h>
 #include <unistd.h>
@@ -33,6 +33,7 @@ tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
 X509 * x509 = X509_new();
 assert(x509);
+ X509_set_version(x509, 2);
 ASN1_INTEGER_set(X509_get_serialNumber(x509), 1);
 X509_gmtime_adj(X509_get_notBefore(x509), 0);
 X509_gmtime_adj(X509_get_notAfter(x509), 31536000L); // 1 year
@@ -49,6 +50,18 @@ tls_host_gencert(struct gmnisrv_tls *tlsconf, struct gmnisrv_host *host,
 (unsigned char *)host->hostname, -1, -1, 0);
 X509_set_issuer_name(x509, name);
+ X509V3_CTX ctx;
+ X509V3_set_ctx_nodb(&ctx);
+ X509V3_set_ctx(&ctx, NULL, x509, NULL, NULL, 0);
+ char alt_name[512];
+ r = snprintf(alt_name, sizeof(alt_name), "DNS:%s", host->hostname);
+ assert(r >= 0 && (size_t)r < sizeof(alt_name));
+ X509_EXTENSION* ext = X509V3_EXT_conf_nid(NULL, &ctx,
+ NID_subject_alt_name, alt_name);
+ assert(ext);
+ X509_add_ext(x509, ext, -1);
+ X509_EXTENSION_free(ext);
+
 r = X509_sign(x509, pkey, EVP_sha256());
 assert(r); |
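Review bot: `X509_set_version(x509, 2);` in the second hunk reads as a magic number, and its return value is dropped unlike the `assert(x509)` right above it; I would write `r = X509_set_version(x509, 2); // 0-based: 2 == X509v3, needed for extensions` followed by `assert(r);` so the intent and the check are both visible. Because the commit message says every host will now need a freshly generated certificate, the fixed serial in the context line `ASN1_INTEGER_set(X509_get_serialNumber(x509), 1)` means each regenerated cert shares issuer name and serial number with the one it replaces, which RFC 5280 expects to be unique per issuer; a random serial (for example `BN_rand` into `BN_to_ASN1_INTEGER`) would be cheap to add while certificates are being reissued anyway, though that line predates this commit. tls_host_gencert begins before and continues after this hunk.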
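Review bot: `X509_add_ext(x509, ext, -1);` in the third hunk discards its return value, so if attaching the extension fails the certificate is still signed and served without any subjectAltName, which is exactly the shape rustls rejected; every other OpenSSL call in this function is asserted, so `r = X509_add_ext(x509, ext, -1);` followed by `assert(r);` keeps it consistent. Since these checks are all `assert`s they disappear under NDEBUG, at which point a NULL `ext` from `X509V3_EXT_conf_nid` also falls through silently, but that is the file's existing convention rather than something this commit introduced. The SAN is built by formatting `host->hostname` into OpenSSL's `"DNS:%s"` config mini-language, so a hostname containing `,` would be parsed as a second name and an IP literal would need `IP:` rather than `DNS:` to match a client's verification; if the value comes straight from the admin config this is probably acceptable, but building a GENERAL_NAME directly would avoid the string parsing entirely. The body of tls_host_gencert continues outside this hunk.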
